JP7398430B2 - Query-free device configuration decision-based techniques for mobile device management - Google Patents

Description

[0001] Mobile device management (MDM) is a technique for keeping employees productive and not violating corporate policies. Many organizations use MDM products/services to manage employee activities. MDM primarily deals with separating corporate data, securing emails, securing corporate documents on devices, enforcing corporate policies, and integrating and managing mobile devices, including laptops and various categories of handhelds. MDM can reduce support costs and business risks by controlling and securing the data and configuration settings of all mobile devices within an organization's network.

[0002] This Summary is provided to introduce a selection of concepts in a simplified form that are further described below in the Detailed Description. This summary is not intended to identify key or essential features of the claimed subject matter or be used to limit the scope of the claimed subject matter.

[0003] Embodiments described herein are directed to managing device compliance of devices connected to a network, eg, an enterprise network. For example, a mobile device manager may provide configuration settings to a computing device that implements the configuration settings to comply with corporate policies (eg, data and/or security policies). The mobile device manager also maintains a local reference of each device's configuration settings implemented by the computing device. Then, when the mobile device manager performs a determination of whether the computing device remains compliant, the mobile device manager uses a local reference instead of explicitly querying the computing device for its settings. to determine the configuration of your computing device. The aforementioned techniques can be used to determine compliance of security baselines, determine compliance of Internet of Things (IoT) devices, and other types of devices such as devices utilized by business partners of a company that utilize the company's network. It can be extended to determining compliance.

[0004] Further features and advantages of the invention, as well as the structure and operation of various embodiments of the invention, are described in detail below with reference to the accompanying drawings. Note that the invention is not limited to the particular embodiments described herein. Such embodiments are presented herein for illustrative purposes only. Additional embodiments will be apparent to those skilled in the art based on the teachings contained herein.

[0005] The accompanying drawings, which are incorporated in and form a part of this specification, illustrate the embodiments and, together with the description, explain the principles of the embodiments and enable those skilled in the art to make and use the embodiments. and serve to enable its use.

[0006] FIG. 1 is a block diagram of a system for managing device compliance, according to an example embodiment. [0007] FIG. 2 is a block diagram of a system for managing device compliance that is a more detailed example of the system of FIG. 1, in accordance with an example embodiment. [0008] FIG. 2 is a flowchart of an example method for managing device compliance, according to an example embodiment. [0009] FIG. 1 is a block diagram of a system for managing device compliance, according to an example embodiment. [0010] FIG. 2 is a flowchart of an example method for determining whether a computing device remains in compliance with a compliance rule, according to an example embodiment. [0011] FIG. 2 is a block diagram of a system for determining whether a computing device remains in compliance with compliance rules, according to an embodiment. [0012] FIG. 1 is a block diagram of an example user device on which embodiments may be implemented. [0013] FIG. 1 is a block diagram of an example computing device that may be used to implement embodiments.

[0014] The features and advantages of the invention will become more apparent from the detailed description set forth below when taken in conjunction with the drawings, in which like reference characters identify corresponding elements throughout. In the drawings, like reference numbers generally indicate identical, functionally similar, and/or structurally similar elements. The drawing in which an element first appears is indicated by the left-most digit(s) in the corresponding reference number.
I. Introduction
[0015] The specification and accompanying drawings disclose one or more embodiments that incorporate features of the present invention. The scope of the invention is not limited to the disclosed embodiments. The disclosed embodiments are merely illustrative of the invention, and modified versions of the disclosed embodiments are also encompassed by the invention. Embodiments of the invention are defined by the claims appended hereto.

[0016] References herein to "one embodiment," "embodiment," "exemplary embodiment," etc. mean that the described embodiment may include the particular feature, structure, or characteristic. indicates that not all embodiments necessarily include a particular feature, structure, or characteristic. Moreover, such phrases are not necessarily referring to the same embodiment. Additionally, when a particular feature, structure, or characteristic is described in connection with an embodiment, such feature, structure, or characteristic is described in connection with other embodiments, whether or not explicitly described. It is submitted that it is within the knowledge of a person skilled in the art to achieve the characteristics described above.

[0017] A number of exemplary embodiments are described below. Note that the section/subsection headings provided herein are not intended to be limiting. Embodiments are described throughout this document and any type of embodiment may be included under any section/subsection. Furthermore, the embodiments disclosed in any section/subsection may be combined in any manner with any other embodiments described in the same section/subsection and/or different sections/subsections.
II. Systems and methods for managing device compliance
[0018] Embodiments described herein are directed to managing device compliance of devices connected to a network, eg, a corporate network. For example, a mobile device manager at a server may provide configuration settings to a computing device that implements the configuration settings to comply with corporate policies (eg, data and/or security policies). The mobile device manager also maintains a local reference of each device's configuration settings implemented by the computing device. Then, when the mobile device manager performs a determination of whether the computing device remains compliant, the mobile device manager uses a local reference instead of explicitly querying the computing device for its settings. to determine the configuration of your computing device. The aforementioned techniques can be used to determine compliance of security baselines, determine compliance of Internet of Things (IoT) devices, and other types of devices such as devices utilized by business partners of a company that utilize the company's network. It can be extended to determining compliance.

[0019] The techniques described above establish trust between a mobile device manager and a computing device (i.e., device trust), such that the device maintains configuration settings and maintains the trust when such settings are changed. It is expected that the mobile device manager will be notified. Therefore, the local reference always reflects the configuration settings of a particular device, allowing the mobile device manager to determine the configuration settings of the device without querying the device. Such a technique would be more reliable than querying the device for settings. This is because both the query and the response to the query provided by the device are susceptible to errors (eg, transmission errors).

[0020] Furthermore, because compliance checks are performed without the need to query the computing device for its configuration settings, network traffic across the enterprise network is advantageously reduced, thereby conserving network bandwidth. release. Additionally, because the computing device no longer has to respond to numerous configuration queries from the mobile device manager, fewer computing resources are utilized by the computing device, and such technology allows for lower Power consumption is achieved.

[0021] Furthermore, the techniques described above provide improvements to other techniques, namely mobile device management. In other words, the queryless techniques described above do not require you to wait for the device to respond to a configuration setting query over the network, but instead refer to a local reference of configuration settings to determine the device's settings, allowing for compliance checks. becomes much faster.

[0022] FIG. 1 is a block diagram of a system 100 for managing device compliance, according to an embodiment. As shown in FIG. 1, system 100 includes a server 102, one or more computing devices 104, and one or more data stores 108 communicatively coupled via an enterprise network 110. Data store 108 may include one or more physical memory and/or storage devices. Data store 108 may be any type of physical memory and/or storage device described herein and/or as would be understood by one of ordinary skill in the art having the benefit of this disclosure. Enterprise network 110 interconnects enterprise devices (e.g., computing devices 104) at one or more enterprise locations to other enterprise devices so that enterprise devices can access computing resources and/or A private computer network established by a company for the purpose of allowing computing resources to be shared.

[0023] Computing device 104 is intended to represent a device utilized or otherwise accessible by members of an enterprise (eg, employees). As used herein, the term "enterprise" broadly refers to any of a wide variety of organizational types, including companies, nonprofit organizations, and government agencies. Users of computing device 104 may be referred to herein as "corporate users" or simply "users." Each of the computing devices 104 may include, for example and without limitation, a desktop computer, laptop computer, tablet computer, netbook, smartphone, etc. Additional examples of computing devices 104 are described below with reference to FIGS. 7 and 8.

[0024] Data store 108 is configured to store one or more configurations 112 for computing device 104. Each of the configurations 114 may specify one or more configuration settings for a particular computing device of the computing devices 104 and/or a particular user of each of the computing devices 104. Accordingly, each of the computing devices 104 may be associated with more than one of the configurations 114. For example, a first configuration of configurations 114 may be associated with a first user of a particular computing device, and a second configuration of configurations 114 may be associated with a first user of a particular computing device. 2 users. A configuration and a particular user of a particular computing device to which the configuration corresponds is referred to herein as a user device pair. Examples of configuration settings include encryption settings implemented by computing device 104, security settings implemented by computing device 104, at least one minimum version of an application, or a minimum version of an application that needs to be installed on computing device 104. Including, but not limited to, certain operating systems. The encryption settings may specify whether storage devices included in computing device 104 are encrypted (eg, via an encryption program such as, but not limited to, BitLoker ^™ ). The security settings may be configured regardless of whether code signing is to be performed by the computing device 104, whether a trusted platform module (TPM) is to be performed by the computing device 104, etc. A password policy (eg, setting password length to a minimum of 10 characters, 12 characters, etc.) may be specified to be enforced by computing device 104. It should be noted that the configuration settings described above are purely exemplary and other configuration settings may be used.

[0025] Server 102 may be configured to manage compliance of computing device 104 with respect to policies (eg, data and/or security policies) specified by an enterprise. Server 102 may also be referred to as a mobile device manager. Policies may be specified according to one or more compliance rules. For example, server 102 may include compliance engine 112. Compliance engine 112 may determine a configuration 114 to be provided to a particular one of computing devices 104 and provide the determined configuration thereto. The determined configuration may be compliant with the compliance rules. Compliance rules may be specified by an enterprise administrator (e.g., an IT administrator or other person within the enterprise who may be responsible for deploying, maintaining, and/or configuring computing devices 104 on behalf of enterprise users). . Each of computing devices 104 is configured to implement configuration settings specified by configuration 114 and provide acknowledgments to server 102. The acknowledgment indicates that the computing device has performed the configuration settings. Upon receiving the acknowledgment, the compliance engine 112 designates the computing device as being in compliance with the compliance rule from the received acknowledgment.

[0026] Compliance engine 112 may be further configured to maintain a local reference of configuration settings implemented by each of computing devices 104. Compliance engine 112 may be configured to determine whether a particular computing device 104 remains in compliance with the compliance rules using this reference. By doing so, the compliance engine 112 does not need to query the computing device 104 for its configuration settings, but simply needs to access the reference to determine the configuration settings implemented by the computing device 104. .

[0027] The system 100 of FIG. 1 may be implemented in a variety of ways in embodiments. For example, FIG. 2 depicts a detailed block diagram of a system 200 in accordance with an example embodiment. System 200 is an example of system 100. As shown in FIG. 2, system 200 includes a server 202, a computing device 204, a data store 208, a third party computing device 218, and an Internet of Things (IoT) device 220, each of which is connected to an enterprise network. 210. Server 202, computing device 204, data store 208, and enterprise network 210 are examples of server 102, computing device 104, data store 208, and enterprise network 110, respectively, as described above with reference to FIG. .

[0028] Data store 208 is configured to store different configurations for different types of devices. For example, as shown in FIG. 2, data store 208 may store device configurations 222, third party configurations 228, and original equipment manufacturer (OEM) configurations 226. Device configuration 222 may specify one or more configuration settings for computing device 204 and/or a particular user of computing device 204. OEM configuration 226 may specify configuration settings for IoT device 220 and third party configuration 228 may specify configuration settings for third party computing device 218. Data store 208 is also recommended by software developers (e.g., operating system (OS) developers) to keep such devices secure (computing device 204, third-party computing device 218, and/or A security baseline 224 may be stored that may specify configuration settings for a device (such as IoT device 220). Each of device configuration 222, third party configuration 228, OEM configuration 226, and security baseline 224 may be stored as a file (eg, an XML file, a text file, etc.). Additional details regarding device configuration 222, third party configuration 228, OEM configuration 226, and security baseline 224 are described below.

[0029] Device configuration 222 may specify configuration settings for computing device 204, which is a computing device maintained by an enterprise and issued to employees of the enterprise. Device configuration 222 may be specified by an enterprise administrator (eg, via a graphical user interface (GUI)). Device configuration 222 is specified according to one or more compliance rules 214 maintained by server 202. Compliance rules 214 may also be specified by an enterprise administrator (eg, via a GUI). Compliance rules 214 are utilized by devices connected to corporate network 210 (e.g., computing device 204, third-party computing device 218, and IoT device 220) to maintain compliance with policies specified by the enterprise. may specify configuration settings to be performed.

[0030] Server 202 may be configured to determine a device configuration 222 to be provided to computing device 204 and provide the determined configuration thereto. For example, when a user first logs in to a newly issued computing device, server 202 searches for device configurations 222 associated with the computing device and/or user and assigns device configurations 222 to the computing device. may be provided to a gaming device. As shown in FIG. 2, each of the computing devices 204 may be configured to run an agent 216 that is configured to implement configuration settings specified by the received device configuration. After implementing the configuration, agent 216 may provide acknowledgment to compliance engine 212. The acknowledgment indicates that computing device 204 has performed the configuration settings. Upon receiving the acknowledgment, compliance engine 212 designates the computing device as being in compliance with compliance rules 214 .

[0031] The server 204 may maintain a compliance record 232 that includes a designation for each user device pairing as to whether the particular user device pairing is compliant. For example, the compliance record 232 may comprise a data structure (e.g., a table) with multiple entries, each entry containing a particular pair of user devices and an indication as to whether the pair of user devices is compliant. Specify. Server 202 may be further configured to maintain a local configuration reference 230 of implemented configuration settings for each user device pairing. Configuration reference 230 may comprise a data structure (eg, a table) with multiple entries, each entry specifying a particular user device pair and the configuration settings implemented by that pair. It should be noted that the structure and/or configuration of configuration reference 230 and/or compliance record 232 described above is purely exemplary, and other structures and/or configurations may be used.

[0032] Compliance engine 212 may be configured to determine whether computing device 204 remains in compliance with compliance rules using reference 230. By doing so, compliance engine 212 simply needs to access reference 230 to determine the configuration settings implemented by computing device 204 without having to query computing device 204 for the configuration settings. Compliance engine 212 may determine whether computing device 204 remains compliant upon detecting a trigger event.

[0033] According to embodiments, the triggering event is the expiration of a predetermined period of time. According to such embodiments, compliance engine 212 may periodically compare compliance rules 214 to configuration settings of computing device 204. Over time, compliance rules 214 may be modified by an administrator of the enterprise. Accordingly, compliance engine 212 may periodically determine whether configuration settings implemented by computing device 204 are in compliance with compliance rules 214 by using reference 230. For example, compliance engine 212 searches for configuration settings utilized by computing device 204 using reference 230 and compares the configuration settings to compliance rules 214 to determine whether the configuration settings are compliant. It can be determined whether or not. If the compliance settings are out of compliance with compliance rules 214, compliance engine 212 may determine that computing device 204 is no longer compliant. If the compliance settings are in compliance with compliance rules 214, compliance engine 212 may determine that computing device 204 remains compliant.

[0034] According to another embodiment, the trigger event is an indication from computing device 204 that a configuration setting has changed. For example, a user of a particular one of computing devices 204 and/or an application running on computing device 204 may change configuration settings. Agent 216 may be configured to provide notifications to compliance engine 212 in response to changes in configuration settings. This notification may specify which settings have been changed. Upon receiving a notification from a particular computing device, compliance engine 212 determines whether the particular computing device is no longer in compliance with compliance rules 214 due to the changed settings. For example, compliance engine 212 may compare the configuration settings indicated in the notification to compliance rules 214 to determine whether the changed settings are in compliance with compliance rules 214. If the configuration settings are in compliance with compliance rules 214, compliance engine 212 may determine that the particular computing device remains compliant.

[0035] If the configuration settings are not in compliance with the compliance rules 214, the compliance engine 212 determines that the particular computing device is no longer compliant and identifies the computing device in the compliance record 232. designation to indicate that the computing device is no longer compliant. Compliance engine 212 may also prevent such computing devices from accessing resources accessible via corporate network 210. Such resources include, but are not limited to, email servers, data repositories, application servers, etc. Access to such resources may be blocked until computing device 204 is in compliance with compliance rules 214. For example, compliance engine 212 may send new configuration settings that are in compliance with compliance rules 214. Agent 216 may send an acknowledgment to compliance engine 212 upon implementing the new configuration settings. Upon receiving the acknowledgment, compliance engine 212 may designate computing device 204 as compliant and update compliance record 232 accordingly.

[0036] According to embodiments, agent 216 is configured to maintain configuration settings provided by server 202. For example, in the event that a user or application running on a computing device attempts to change a configuration setting, agent 216 may prevent the change from occurring and/or roll back the change. In the event that agent 216 is unable to prevent and/or roll back the configuration settings, agent 216 may send a notification to compliance engine 212 indicating the changed settings.

[0037] According to a further embodiment, the triggering event is an indication that a user has logged into the corporate network 210 via a computing device (eg, computing device 204). For example, the computing device may be configured to provide notifications to the server 202 in response to a user logging into the computing device. Upon receiving the notification, compliance engine 212 uses reference 230 to locate the configuration settings utilized by computing device 204 for the logged in user (i.e., for the user device pair) and determines the configuration. The settings may be compared to compliance rules 214 to determine whether the configuration settings are compliant. If the compliance settings are out of compliance with compliance rules 214, compliance engine 212 may determine that computing device 204 is no longer compliant. If the compliance settings are in compliance with compliance rules 214, compliance engine 212 may determine that computing device 204 remains compliant. The foregoing allows compliance engine 212 to apply compliance to user device pairs without having to constantly push down configuration settings each time a user logs on to a particular device. This immediately enforces compliance in a multi-user environment if compliance is being evaluated on a per-user basis. For example, when a different user logs into a device, compliance engine 212 checks the configuration settings already in place for that pair of user devices by accessing reference 230 to the configuration settings stored by server 202. may simply determine whether there is a difference between the configuration settings already implemented by the device and the compliance rules 214. If there is no difference, the device is immediately designated as compliant in compliance record 232. The foregoing is accomplished without the need for server 202 to re-query the device for its current configuration settings. In contrast, previous techniques required a server to push down user-specific settings to the device and then query the device for the settings each time a user logged on. The server must then designate the device as compliant after comparing the configuration received from the device to the compliance rules. The techniques described above completely eliminate this back-and-forth communication if the existing configuration already implemented by the device is in compliance with the compliance rules 214.

[0038] If there is a discrepancy, compliance engine 212 may update the designation of compliance record 232 for such computing device 204 to indicate that such device is no longer compliant. Compliance engine 212 may also prevent such computing devices 204 from accessing resources accessible via corporate network 210. Such resources include, but are not limited to, email servers, data repositories, application servers, etc. Access to such resources may be blocked until computing device 204 is in compliance with compliance rules 214. For example, compliance engine 212 may send new configuration settings that are in compliance with compliance rules 214. Agent 216 may send an acknowledgment to compliance engine 212 upon implementing the new configuration settings. Upon receiving the acknowledgment, compliance engine 212 may designate computing device 204 as compliant by updating compliance record 232 accordingly.

[0039] The foregoing enables compliance engine 212 to advantageously determine compliance upon receiving an acknowledgment from computing device 204 without having to re-query the device for its settings. This temporarily prevents non-compliant users from accessing network resources. Previous techniques would have allowed users to continue accessing network resources while the server queried the computing device for configuration settings and compared the settings to compliance rules. The techniques disclosed herein prevent this by checking compliance immediately upon receiving an acknowledgment from agent 216. Additionally, these techniques improve the user experience when a compliant user logs on to a device that is being used by another non-compliant user. In previous techniques, when a compliant user logged on to a device, the device would be marked as non-compliant while the server queried the device for configuration settings. The techniques disclosed herein eliminate this problem by checking compliance using reference 230 as soon as a new user logs on to the device.

[0040] According to yet another embodiment, the trigger event is an indication that the compliance rule 214 has changed. For example, if an administrator makes a change to compliance rule 214, compliance engine 212 may receive an indication of this change. Upon receiving the indication, compliance engine 212 searches for configuration settings utilized by computing device 204 using reference 230 and compares the configuration settings to compliance rules 214 to determine whether the configuration settings are compliant. Compliance can be determined. If the configuration settings are in compliance with compliance rules 214, compliance engine 212 may determine that the particular computing device remains compliant.

[0041] If the configuration settings are not in compliance with the compliance rules 214, the compliance engine 212 determines that the particular computing device is no longer compliant and identifies the computing device in the compliance record 232. designation may be updated to indicate that the computing device is no longer compliant. Compliance engine 212 may also prevent such computing devices from accessing resources accessible through corporate network 210 until such computing devices become compliant.

[0042] Security baselines 224 may be published and released periodically by operating system (OS) developers as part of each OS release and are part of many companies' compliance standards. In a traditional scenario, enterprises would need to re-query their computing devices and re-evaluate the compliance of every pair of user devices in the organization with every OS update. This is a very costly process for businesses and prevents rapid adoption of the OS. To overcome such issues, when a new security baseline 224 is released for a new OS update, the compliance engine 212 queries the data store 208 for the security baseline 224 for the new OS version/update ( Alternatively, a company may use its own company-specific baseline to assess whether a new OS version/update brings the device's users into compliance. For example, the compliance engine 212 searches the configuration settings utilized by each user device pair using the reference 230 and compares the configuration settings to the security baseline 224 to ensure that the configuration settings are compliant. It can be determined whether the If the configuration settings are out of compliance with security baseline 224, compliance engine 212 determines that the user device pair is out of compliance. In response, compliance engine 212 may designate the user device pair as non-compliant, prevent access to corporate resources, and/or provide updated configuration settings to the associated computing device. obtain. If the compliance settings comply with the security baseline 224, the compliance engine 212 determines that the user device pair is compliant. The techniques described above allow compliance to be assessed instantly without requiring each user to log into a specific device.

[0043] IoT device 220 may be classified as secure by default and may have a default configuration configured by the manufacturer (also referred to as OEM) of such device. Examples of IoT devices 220 include, but are not limited to, video conferencing systems, printers, speakers, heating, ventilation, and air conditioning (HVAC) systems, and the like. The configuration of such a device may be stored in data store 208 (denoted as OEM configuration 226). The configuration settings of IoT device 220 are generally not changeable by end users and/or only by OEMs (eg, via software and/or hardware updates). To determine whether IoT devices 220 are compliant, compliance engine 212 queries data store 208 for OEM configurations 226 and identifies OEM configurations 226 for each of IoT devices 220 utilized by the enterprise. is compared with compliance rules 214 to determine whether OEM configuration 226 is compliant. If IoT device 220 is out of compliance, the organization may notify the manufacturer to update the configuration settings of such device so that IoT device 220 becomes compliant. If IoT device 220 is in compliance with the compliance rules, compliance engine 212 may designate such device in compliance record 232 as being compliant.

[0044] In the event that the OEM changes the device's configuration settings through an update, the OEM may provide the updated OEM configuration 226 to the enterprise and the compliance engine 212 may re-evaluate compliance. This advantageously allows compliance engine 212 to evaluate IoT devices 220 using OEM configuration 226 without having to evaluate each of IoT devices 220 by querying each device individually for its configuration. Allows batch processing.

[0045] Configuration settings may also be provided by a third party entity. For example, as shown in FIG. 2, third party configuration 228 specifies configuration settings for third party computing device 218. This may be a device associated with a business partner of the company. For example, employees of such partners may visit the enterprise for business purposes. Third party computing device 218 may be checked for compliance using third party configuration 228. The third party can provide the third-party configuration 228 to the enterprise before the third-party employee arrives at the enterprise's site, and the compliance engine 212 may configure the third-party computing device 218 to It can be determined whether compliance with the compliance rule 214 is observed. If the third party computing device 218 is out of compliance, the enterprise may notify the third party of the need to change the configuration of the device and notify the required configuration settings. The third party may update the configuration settings accordingly and provide the updated third party configuration 228 to the enterprise. Compliance engine 218 may then re-evaluate compliance using updated third-party configuration 228 and notify the third party whether third-party computing device 218 is currently compliant. This advantageously allows the third-party computing device 218 to arrive immediately after it connects to the corporate network 210 without having to wait for the company to manage the device and assess compliance. to have access to the corporate network 210 and its resources.

[0046] Accordingly, devices may be managed for compliance in a number of ways. For example, FIG. 3 depicts a flowchart 300 of an example method implemented by a server to manage device compliance, according to an example embodiment. The method of flowchart 300 will now be described with reference to system 400 of FIG. 4, but the method is not limited to its implementation. FIG. 4 is a block diagram of a system 400 for managing device compliance, according to another embodiment. As shown in FIG. 4, system 400 includes a server 402, one or more computing devices 404, and one or more data stores 408. Server 402, computing device 404, and data store 408 are communicatively coupled via enterprise network 410. Server 402, computing device 404, data store 408, and enterprise network 410 are examples of server 202, computing device 204, data store 208, and enterprise network 210 described above with reference to FIG. As further shown in FIG. Server 402 includes a compliance engine 412, one or more compliance rules 414, configuration references 430, and compliance records 432. Computing devices 404 each include an agent 416 and data store 408 includes a configuration 420. Compliance engine 412, compliance rule 414, configuration reference 430, compliance record 432, and agent 416 are each similar to compliance engine 212, compliance rule 214, configuration reference 230, compliance record 232, and agent 416, respectively, described above with reference to FIG. This is an example of agent 216. Configuration 420 is an example of device configuration 222, security baseline 224, OEM configuration 226, and/or third party configuration 228, as described above with reference to FIG. Other structural and operational embodiments will be apparent to those skilled in the art based on the discussion of flowchart 300 and FIG. 4 system 400.

[0047] As shown in FIG. 3, the method of flowchart 300 begins at step 302, where a server for a computing device accessible via a network communicatively coupling the server and the computing device. Configuration settings are determined. For example, as shown with reference to FIG. 4, server 402 determines the configuration settings of computing device 404 that is accessible via corporate network 410.

[0048] According to one or more embodiments, the configuration settings include encryption settings implemented by the computing device, security settings implemented by the computing device, or configuration settings that need to be installed on the computing device. Specifying at least one minimum version of at least one of the applications or operating system.

[0049] According to one or more embodiments, the configuration settings for the computing device identify a user logged into the computing device and determine configuration settings associated with the user and the computing device. It is determined by For example, an enterprise administrator may configure configuration settings differently for each computing device of computing devices 404 and/or for each user of a particular computing device of computing devices 404. It is possible. An administrator may ensure that such settings are in compliance with associated compliance rules 414. Such configuration settings may be stored in data store 408 as configuration 420. When a user first logs into a newly issued computing device, the server 402 determines the configuration from the data store 408 associated with the computing device and the user (i.e., user device pair); A configuration (such as configuration 401) may be searched.

[0050] At step 304, the configuration settings are sent to the computing device over the network. For example, as shown with reference to FIG. 4, server 402 sends configuration 401 to computing device 404 via network 410.

[0051] At step 306, a reference to the configuration settings is maintained at the server. For example, as shown with reference to FIG. 4, server 402 maintains a local configuration reference 430 for the configuration (ie, configuration 401) that is sent to computing device 404. Reference 430 may comprise a data structure (eg, a table) that maps configuration settings provided to a particular pair of user devices. For example, a data structure may specify which configuration settings are provided and implemented by a particular user device pair.

[0052] At step 308, an acknowledgment that the configuration settings have been performed is received from the computing device over the network. For example, as shown with reference to FIG. 4, agent 416 sends acknowledgment 403 to server 402 via corporate network 410. Acknowledgment 403 indicates that agent 416 has implemented the configuration settings specified by configuration 401 on computing device 404 .

[0053] At step 310, the computing device is designated as being in compliance with the compliance rule in response to receiving the acknowledgment. For example, as shown with reference to FIG. 4, compliance engine 412 may update entry compliance record 432 corresponding to computing device 404 to indicate that computing device 404 is compliant.

[0054] FIG. 5 depicts a flowchart 500 of an example method for determining whether a computing device is in compliance with a compliance rule, according to an example embodiment. The method of flowchart 500 will now be described with reference to system 600 of FIG. 6, but the method is not limited to its implementation. FIG. 6 is a block diagram of a system 600 for determining whether a computing device is in compliance with a compliance rule, according to an embodiment. As shown in FIG. 6, system 600 includes a server 602, one or more computing devices 604, and one or more data stores 608. Server 602, computing device 604, and data store 608 are communicatively coupled via enterprise network 610. Server 602, computing device 604, data store 608, and corporate network 610 are examples of server 402, computing device 404, data store 408, and corporate network 410, as described above with reference to FIG. As further shown in FIG. 6, server 602 includes a compliance engine 612, one or more compliance rules 614, configuration references 630, and compliance records 632. Computing device 604 includes an agent 616 and data store 608 includes a configuration 620. Compliance engine 612, compliance rules 614, configuration references 630, and compliance records 632, and agents 616, respectively, are configured as described above with reference to FIG. This is an example of a record 432 and an agent 416. Configuration 620 is an example of configuration 420, as described above with reference to FIG. Other structural and operational embodiments will be apparent to those skilled in the art based on the discussion of flowchart 500 and system 600 of FIG. 6.

[0055] As shown in FIG. 5, the method of flowchart 500 begins at step 502, where the computing device complies with compliance rules by comparing a reference to a configuration setting to a compliance rule in response to detection of a trigger event. A determination is made as to whether or not compliance with the rules continues to be observed. For example, as shown with reference to FIG. 6, compliance engine 612 may determine whether computing device 604 is in compliance with compliance rule 614 by comparing configuration reference 230 to compliance rule 214 in response to detection of a trigger event. Determine whether you continue to comply with the regulations. In response to determining that the computing device is no longer compliant, flow continues to step 504. If so, flow continues to step 506.

[0056] According to one or more embodiments, the triggering event may include expiration of a predetermined period of time, an indication received from the computing device that a second configuration setting of the computing device has changed; or at least one indication that the user has logged into the computing device. For example, as shown with reference to FIG. 6, compliance engine 612 may maintain a timer that upon expiration causes compliance engine 612 to request a The configuration settings of device 604 are compared to compliance rules 614. In another example, agent 616 may provide indication 601 to compliance engine 612 over network 610 that the second configuration setting of computing device 604 has changed. In another example, a particular computing device of computing device 604 indicates that a user has logged on to network 610 and/or that the computing device has logged on to server 602 via corporate network 610. An indication 603 may be provided.

[0057] At step 504, the computing device is prevented from accessing resources accessible through the network, and the computing device is designated as out of compliance with the compliance rules. For example, as shown with reference to FIG. 6, compliance engine 612 prevents computing device 604 from accessing resources accessible through corporate network 610 and prevents computing device 604 from accessing resources accessible via compliance rules 610. be designated as not complying with compliance. For example, compliance engine 612 may send command 607 to computing device 604 to disable access to resources on corporate network 610. Compliance engine 612 also updates the entry in compliance record 632 corresponding to computing device 604 to indicate that computing device 604 is no longer compliant.

[0058] According to one or more embodiments, the new configuration settings that are in compliance with the compliance rules are configured to configure the network in response to a determination that the computing device is no longer compliant. to a computing device. For example, as shown with reference to FIG. 6, an administrator may update configuration 420 to be in compliance with compliance rules 414. Compliance engine 612 may retrieve the updated configuration and/or transmit the updated configuration (denoted as configuration 405) to an agent via corporate network 610 implementing the specified new configuration settings. 616.

[0059] At step 506, the designation that the computing device is compliant is maintained. For example, as shown with reference to FIG. 6, compliance engine 612 maintains a designation in compliance record 632 that computing device 604 is in compliance with compliance rules 614.
III. Exemplary mobile and fixed device embodiments
[0060] The systems and methods described above, including the device compliance management embodiments described with reference to FIGS. 1-6, may be implemented in combination with hardware, or one or both of software and/or firmware. It can be implemented in hardware. For example, compliance engine 112, agent 116, compliance engine 212, compliance rule 214, configuration reference 230, compliance record 232, agent 216, compliance engine 412, compliance rule 414, configuration reference 430, compliance record 432, agent 416, and Each of the components described therein, as well as flowchart 300 and/or flowchart 500, may each include computer program code configured to be executed on one or more processors and stored on a computer-readable storage medium. Implemented as a command. Alternatively, compliance engine 112, agent 116, compliance engine 212, compliance rule 214, configuration reference 230, compliance record 232, agent 216, compliance engine 412, compliance rule 414, configuration reference 430, compliance record 432, agent 416, and Each of the components described therein and flowchart 300 and/or flowchart 500 may be implemented as hardware logic/electrical circuits. In embodiments, compliance engine 112, agent 116, compliance engine 212, compliance rule 214, configuration reference 230, compliance record 232, agent 216, compliance engine 412, compliance rule 414, configuration reference 430, compliance record 432, agent 416 , and/or each of the components described therein, as well as flowchart 300 and/or flowchart 500, may be implemented in one or more SoCs (systems on a chip). An SoC may include one or more of a processor (e.g., central processing unit (CPU), microcontroller, microprocessor, digital signal processor (DSP), etc.), memory, one or more communication interfaces, and/or further circuitry. The integrated circuit chip may include a plurality of integrated circuit chips and, optionally, may include embedded firmware for executing received program code and/or performing functions.

[0061] FIG. 7 depicts a block diagram of an example mobile device 700 that includes various optional hardware and software components, generally designated as component 702. computing device 104, computing device 204, third party computing device 218, IoT device 220, computing device 404, computing device 604, server 102, server 402, server 602, compliance engine 112, agent 116, compliance engine 212 , compliance rule 214, configuration reference 230, compliance record 232, agent 216, compliance engine 412, compliance rule 414, configuration reference 430, compliance record 432, agent 416, and/or each of the components described therein. , and any number and combination of features/elements of flowchart 300 and/or flowchart 500 may be incorporated into mobile device embodiments and additional and/or alternative features/elements, as known by those skilled in the art. may be implemented as included component 702. Note that any component 702 can communicate with any other component 702, although not all connections are shown for ease of illustration. Mobile device 700 may include various mobile devices described or referenced elsewhere herein or otherwise known (e.g., cell phones, smart phones, handheld computers, personal digital assistants (PDAs)). wireless two-way communication with one or more mobile devices via one or more communication networks 704, such as a cellular or satellite network, or with a local area network or wide area network. can be made possible.

[0062] The illustrated mobile device 700 is referred to as a processor circuit 710 for performing tasks such as signal encoding, image processing, data processing, input/output processing, power control, and/or other functions. It can include a controller or a processor. Processor circuitry 710 may include electrical and/or optical circuits implemented in one or more physical hardware electrical circuit device elements, and/or central processing units (CPUs), microcontrollers, microprocessors, and/or others. A circuit device (semiconductor material chip or die) that is integrated as a physical hardware processor circuit. Processor circuit 710 may execute program code stored on a computer-readable medium, such as one or more applications 714, operating system 712, any program code stored in memory 720, and the like. Operating system 712 controls the allocation and use of components 702 and may support one or more application programs 714 (also known as applications, “apps,” etc.). Application programs 714 include general mobile computing applications (e.g., email applications, calendars, contact managers, web browsers, messaging applications) and any other computing applications (e.g., word processing applications, mapping applications, media player application).

[0063] As illustrated, mobile device 700 may include memory 720. Memory 720 may include non-removable memory 722 and/or removable memory 724. Non-removable memory 722 may include RAM, ROM, flash memory, hard disk, or other well-known memory storage technologies. Removable memory 724 may include flash memory or other well-known memory storage technologies such as subscriber identity module (SIM) cards or "smart cards" as are well known in GSM communication systems. . Memory 720 may be used to store data and/or code for executing operating system 712 and applications 714. Exemplary data includes web pages, text, images, sound files, video data sent to and from one or more network servers or other devices over one or more wired or wireless networks. , or other datasets. Memory 720 may be used to store subscriber identifiers, such as an International Mobile Subscriber Identity (IMSI), and equipment identifiers, such as an International Mobile Equipment Identifier (IMEI). Such identifiers can be sent to a network server to identify users and devices.

[0064] Many programs may be stored in memory 720. These programs include an operating system 712, one or more application programs 714, and other program modules and program data. Examples of such application programs or program modules include computer program logic (e.g., computer program logic) for implementing the systems described above, including, for example, the device compliance management embodiments described with reference to FIGS. program code or instructions).

[0065] The mobile device 700 includes one or more input devices 730, such as a touch screen 732, a microphone 734, a camera 736, a physical keyboard 738, and/or a trackball 740, and one or more input devices, such as a speaker 752 and a display 754. Multiple output devices 750 can be supported.

[0066] Other possible output devices (not shown) may include piezoelectric or other tactile output devices. Some devices can provide multiple input/output functions. For example, touch screen 732 and display 754 can be combined into a single input/output device. Input device 730 may include a natural user interface (NUI).

[0067] Wireless modem 760 can be coupled to an antenna (not shown) to support bi-directional communication between processor circuitry 710 and external devices, as is well understood in the art. Can be done. Modem 760 is illustrated generally and can include a cellular modem 766 for communicating with mobile communication network 704 and/or other wireless-based modems (eg, Bluetooth 764 and/or Wi-Fi 762). Cellular modem 766 may be configured to allow calls (and optionally the transmission of data) according to any suitable communication standard or technology, such as GSM, 3G, 4G, 5G, etc. At least one of the wireless modems 760 typically connects to a GSM network, for example, for data and voice communications within a single cellular network, between multiple cellular networks, or between a mobile device and a public switched telephone network (PSTN). configured for communication with one or more cellular networks, such as.

[0068] The mobile device 700 includes at least one input/output port 780, a power source 782, a satellite navigation system receiver 784, such as a Global Positioning System (GPS) receiver, an accelerometer 786, and/or A physical connector 790, which can be a USB port, an IEEE 1394 (Firewire) port, and/or an RS-232 port, can also be included. The illustrated components 702 are not required or exhaustive as any component may not be present and other components may additionally be present as recognized in the art.

[0069] FIG. 8 further illustrates computing device 104, computing device 204, third party computing device 218, IoT device 220, computing device 404, computing device 604, server 102, server 402, server 602, compliance engine 112, agent 116, compliance engine 212, compliance rule 214, configuration reference 230, compliance record 232, agent 216, compliance engine 412, compliance rule 414, configuration reference 430, compliance record 432, agent 416, and/or 8 illustrates an example implementation of a computing device 800 on which embodiments may be implemented, including each of the components described herein, as well as flowchart 300 and/or flowchart 500. The description of computing device 800 provided herein is provided for illustrative purposes and is not intended to be limiting. Embodiments may be implemented in additional types of computer systems, as known to those skilled in the art.

[0070] As shown in FIG. 8, computing device 800 includes one or more processors, referred to as processor circuitry 802, a system memory 804, and various system components including system memory 804. and a bus 806 coupled to 802 . Processor circuitry 802 includes electrical and/or optical circuits implemented in one or more physical hardware electrical circuit device elements, and/or central processing units (CPUs), microcontrollers, microprocessors, and/or others. A circuit device (semiconductor material chip or die) that is integrated as a physical hardware processor circuit. Processor circuit 802 may execute program code stored on a computer-readable medium, such as operating system 830 program code, application programs 832, other programs 834, and the like. Bus 806 may be any one or more of several types of bus structures, including a memory bus or memory controller, a peripheral bus, an accelerated graphics port, and a processor or local bus using any of a variety of bus architectures. represents. System memory 804 includes read only memory (ROM) 808 and random access memory (RAM) 810. A basic input/output system 812 (BIOS) is stored in ROM 808.

[0071] The computing device 800 also includes the following drives: a hard disk drive 814 for reading from and writing to a hard disk, a magnetic disk drive 816 for reading from and writing to a removable magnetic disk 818, and a CD ROM, DVD ROM, or other One or more optical disk drives 820 are included for reading from and writing to removable optical disks 822, such as optical media. Hard disk drive 814, magnetic disk drive 816, and optical disk drive 820 are connected to bus 806 by hard disk drive interface 824, magnetic disk drive interface 826, and optical drive interface 828, respectively. Drives and their associated computer-readable media provide non-volatile storage of computer-readable instructions, data structures, program modules, and other data for a computer. Although hard disks, removable magnetic disks, and removable optical disks are mentioned, other types of hardware-based computer-readable storage may be used, such as flash memory cards, digital video disks, RAM, ROM, and other hardware storage media. Media can also be used to store data.

[0072] Many program modules may be stored on a hard disk, magnetic disk, optical disk, ROM, or RAM. These programs include an operating system 830, one or more application programs 832, other programs 834, and program data 836. Application program 832 or other program 834 may include computer program logic (e.g., computer program code) for implementing the systems described above, including, for example, the device compliance management embodiments described with reference to FIGS. or instructions).

[0073] A user may enter commands and information into computing device 800 through input devices such as keyboard 838 and pointing device 840. Other input devices (not shown) may include a microphone, joystick, game pad, satellite dish, scanner, touch screen and/or touch pad, voice recognition system for receiving voice input, gesture recognition system for receiving gesture input. etc. may be included. These and other input devices are often connected to processor circuitry 802 through a serial port interface 842 coupled to bus 806, but other input devices such as a parallel port, game port, or universal serial bus (USB) interface.

[0074] Display screen 844 is also connected to bus 806 via an interface, such as a video adapter 846. Display screen 844 may be external to computing device 800 or integrated into computing device 800. Display screen 844 can be a user interface that can display information as well as receive user commands and/or other information (eg, by touch, finger gestures, virtual keyboard, etc.). In addition to display screen 844, computing device 800 may include other peripheral output devices (not shown) such as speakers and a printer.

[0075] Computing device 800 is connected to a network 848 (eg, the Internet) via an adapter or network interface 850, modem 852, or other means for establishing communications over the network. A modem 852, which may be internal or external, may be connected to bus 806 through a serial port interface 842, as shown in FIG. 8, or using another interface type, including a parallel interface. can be connected.

[0076] As used herein, the terms "computer program medium," "computer-readable medium," and "computer-readable storage medium" generally refer to hard disk drives 814, removable magnetic disks 818, removable optical disks, etc. 822, other physical hardware media such as RAM, ROM, flash memory cards, digital video disks, zip disks, MEM, nanotechnology-based storage devices, and further types of physical/tangible hardware storage media ( (including system memory 804 in FIG. 8) is used to refer to a physical hardware medium, such as a hard disk, associated with system memory 804 (including system memory 804 in FIG. 8). Such computer-readable storage media are distinct from, and are not duplicated in, communication media. Communication media typically embodies computer-readable instructions, data structures, program modules, or other data in a modulated data signal, such as a carrier wave. The term "modulated data signal" means a signal that has one or more of its characteristics set or changed in such a manner as to encode information in the signal. By way of example and not limitation, communication media includes wireless media such as acoustic, RF, infrared and other wireless media, and wire media. Embodiments are also directed to such communication media.

[0077] As mentioned above, computer programs and modules (including application programs 832 and other programs 834) may be stored on a hard disk, magnetic disk, optical disk, ROM, RAM, or other hardware storage medium. Such computer programs may also be received via network interface 850, serial port interface 852, or any other interface type. Such computer programs, when executed or loaded by an application, enable computing device 800 to implement features of the embodiments discussed herein. Such a computer program thus represents a controller of computing device 800.

[0078] Embodiments are also directed to a computer program product comprising computer code or instructions stored on any computer readable medium. Such computer program products include hard disk drives, optical disk drives, memory device packages, portable memory sticks, memory cards, and other types of physical storage hardware.
IV. Additional exemplary embodiments
[0079] Methods implemented by a server are described herein. The method includes: determining configuration settings for a computing device accessible via a network communicatively coupling the server and the computing device;
A computing device transmits configuration settings over a network to a computing device, maintains a reference to the configuration settings on a server, and provides acknowledgment that the configuration settings have been implemented by the computing device. and, in response to receiving the acknowledgment, designating the computing device as compliant.

[0080] In embodiments of the method, the method further determines whether the computing device is in compliance with the compliance rule by comparing the reference to the configuration setting with the compliance rule in response to detection of the trigger event. to determine whether the computing device remains in compliance, and to prevent the computing device from accessing resources accessible through the network and to determine that the computing device is no longer in compliance. designating a computing device as out of compliance with a compliance rule and determining that the computing device remains compliant. and maintaining the designation.

[0081] In embodiments of the method, the resource is at least one of a network-accessible email server, a network-accessible data repository, or a network-accessible application server. Provide one.

[0082] In an embodiment of the method, the method further includes, in response to determining that the computing device is no longer compliant, creating a new configuration setting that is compliant with the compliance rule. comprising transmitting to a computing device over a network.

[0083] In embodiments of the method, the triggering event is the expiration of a predetermined period of time, an indication received from the computing device that the second configuration setting of the computing device has changed, or a user and at least one indication that the computing device has been logged into the computing device.

[0084] In embodiments of the method, the configuration settings include cryptographic settings implemented by the computing device, security settings implemented by the computing device, or applications or operating systems that need to be installed on the computing device. Specify at least one minimum version of at least one of the systems.

[0085] In embodiments of the method, determining configuration settings for the computing device includes identifying a user logged into the computing device and determining configuration settings associated with the user and the computing device. and determining.

[0086] Servers are also described herein. The server includes at least one processor circuit and at least one memory storing program code configured to be executed by the at least one processor circuit, the program code being in communication between the server and the computing device. determines configuration settings for a computing device accessible through a network that binds to the network, transmits the configuration settings to the computing device over the network, and maintains a reference to the configuration settings in a server. , receiving, over the network, an acknowledgment from the computing device that the configuration settings have been implemented by the computing device, and in response to receiving the acknowledgment, the computing device is in compliance with the compliance rules. Have a compliance engine configured to specify devices.

[0087] In embodiments of the server, the compliance engine further determines whether the computing device is in compliance with the compliance rule by comparing the reference to the configuration setting to the compliance rule in response to detection of the triggering event. compliance, in response to determining whether the computing device continues to be compliant, preventing the computing device from accessing resources accessible through the network, and determining that the computing device is no longer compliant. Designate a computing device as out of compliance with a rule and maintain the designation of the computing device as compliant upon a determination that the computing device remains compliant It is configured as follows.

[0088] In the server embodiment, the resource is at least one of a network-accessible email server, a network-accessible data repository, or a network-accessible application server. Equipped with

[0089] In embodiments of the server, the compliance engine further configures the network to be compliant with compliance rules and new configuration settings in response to a determination that the computing device is no longer compliant. configured to transmit to a computing device via.

[0090] In embodiments of the server, the triggering event is the expiration of a predetermined period of time, an indication received from the computing device that a second configuration setting of the computing device has changed, or a user and at least one indication indicating that the user has logged into the logging device.

[0091] In server embodiments, the configuration settings may include encryption settings implemented by the computing device, security settings implemented by the computing device, or applications or operating systems that must be installed on the computing device. Specify at least one minimum version of at least one of .

[0092] In embodiments of the server, the compliance engine is further configured to determine configuration settings for the computing device, including identifying a user who is logged in to the computing device and providing information about the user and the computing device. and determining associated configuration settings.

[0093] Further described herein is a computer-readable storage medium having program instructions recorded thereon that, when executed by at least one processor, perform the method. The method includes determining configuration settings for a computing device accessible via a network communicatively coupling a server and the computing device; maintaining a reference to the configuration settings in a server; receiving, over a network, an acknowledgment from the computing device that the configuration settings have been implemented by the computing device; and designating the computing device as being in compliance with the compliance rule in response to receiving the compliance rule.

[0094] In embodiments of the computer-readable storage medium, the method further comprises: causing the computing device to identify the compliance rule by comparing the reference to the configuration setting to the compliance rule in response to detecting the trigger event. Determining whether the computing device remains in compliance and preventing the computing device from accessing resources accessible through the network and determining that the computing device is no longer in compliance. designating a computing device as out of compliance with a compliance rule, and determining that the computing device remains in compliance, depending on the and maintaining the designation that it is

[0095] In embodiments of the computer-readable storage medium, the resource is one of a network-accessible email server, a network-accessible data repository, or a network-accessible application server. At least one.

[0096] In embodiments of the computer-readable storage medium, the method further includes, in response to determining that the computing device is no longer compliant, creating new configuration settings that are compliant with the compliance rules. , comprising transmitting the information to the computing device over the network.

[0097] In embodiments of the computer-readable storage medium, the triggering event is the expiration of a predetermined period of time, an indication received from the computing device that a second configuration setting of the computing device has changed, or and at least one indication that the user has logged into the computing device.

[0098] In embodiments of the computer-readable storage medium, the configuration settings include encryption settings implemented by the computing device, security settings implemented by the computing device, or applications that need to be installed on the computing device. or specify at least one minimum version of at least one of the operating systems.

[0099] In embodiments of the computer-readable storage medium, determining configuration settings for the computing device includes identifying a user logged into the computing device and identifying configuration settings associated with the user and the computing device. and determining the application settings.
V. conclusion
[0100] Although various embodiments have been described above, it is to be understood that they are presented by way of example only and not limitation. It will be apparent to those skilled in the art that various changes in form and detail may be made therein without departing from the spirit and scope of the embodiments. Accordingly, the breadth and scope of the embodiments should not be limited by any of the exemplary embodiments described above, but should be defined only in accordance with the following claims and their equivalents. .

Claims (20)

A method implemented by a server, the method comprising:
a first message indicating that a first user has logged into the specific computing device from the specific computing device accessible via a network communicatively coupling the server and the specific computing device; receiving a notification;
a reference maintained by the server for a first configuration setting associated with the first user and the particular computing device among the configuration settings existing for each user and computing device pair; wherein the reference specifies that the particular computing device implements the first configuration setting when the first user logs into the particular computing device. , the steps to obtain
determining that the first configuration setting does not comply with a compliance rule;
Based on determining that the first configuration setting does not comply with the compliance rule,
designating the particular computing device as non-compliant with the compliance rule; and specifying, when performed by the particular computing device, causing the particular computing device to comply with the compliance rule. transmitting second configuration settings to the particular computing device via the network. The method according to claim 1,
In response to specifying that the particular computing device is out of compliance with the compliance rule, the particular computing device is accessed via the network until the particular computing device becomes compliant. The method further comprises the step of preventing access to the available resources. 3. The method of claim 2, wherein the resource is:
an email server accessible via said network;
The method comprises at least one of: a data repository accessible via the network; or an application server accessible via the network. The method of claim 1, further comprising receiving an indication from the particular computing device that a third configuration setting of the particular computing device has been changed. 2. The method of claim 1, wherein the first configuration setting comprises:
encryption settings implemented by the particular computing device;
The method specifies at least one of: security settings to be implemented by the particular computing device; or at least one minimum version of an application or operating system that needs to be installed on the particular computing device. The method according to claim 1,
receiving an acknowledgment from the particular computing device, the acknowledgment indicating that the particular computing device has implemented a second configuration setting;
and, in response to receiving the acknowledgment, designating the particular computing device as compliant with the modified compliance rule. The method according to claim 1,
receiving a second notification from the particular computing device indicating that a second user has logged into the particular computing device;
retrieving third configuration settings associated with the second user and the particular computing device from the reference, the reference being a third configuration setting associated with the second user and the particular computing device; specifying that the particular computing device implements the third configuration setting when logged into the computer;
determining that the third configuration setting complies with the compliance rule; and in response to determining that the third configuration configuration complies with the compliance rule , The method further comprises: designating a computing device as compliant. A server,
at least one processor circuit;
at least one memory storing program code configured to be executed by the at least one processor circuit, the program code comprising:
a first notification from the particular computing device accessible via a network communicatively coupling the server and the particular computing device, indicating that a first user has logged into the particular computing device; receive and
A first configuration setting associated with the first user and the particular computing device, of the configuration settings existing for each pair of user and computing device, from a reference maintained by the server. obtained, the reference specifies that the particular computing device implements the first configuration setting when the first user logs into the particular computing device;
determining that the first configuration setting does not comply with a compliance rule;
Based on determining that the first configuration setting does not comply with the compliance rule,
designating the particular computing device as non-compliant with the compliance rule; and a step causing the particular computing device to comply with the compliance rule when implemented by the particular computing device. a compliance engine configured to send configuration settings of No. 2 to the particular computing device over the network. 9. The server of claim 8, wherein the compliance engine comprises:
In response to specifying that the particular computing device is out of compliance with the compliance rule, the particular computing device is accessed via the network until the particular computing device becomes compliant. The server is further configured to prevent access to available resources. 10. The server according to claim 9, wherein the resource is:
an email server accessible via said network;
A server comprising at least one of: a data repository accessible via the network; or an application server accessible via the network. 9. The server of claim 8, wherein the compliance engine is configured to receive an indication from the particular computing device that a third configuration setting of the particular computing device has been changed. Furthermore, the server is configured. 9. The server of claim 8, wherein the first configuration setting is:
encryption settings implemented by the particular computing device;
security settings implemented by said particular computing device; or
A server that specifies at least one minimum version of at least one of an application or operating system that needs to be installed on the particular computing device. 9. The server of claim 8, wherein the compliance engine comprises:
receiving an acknowledgment from the particular computing device, the acknowledgment indicating that the particular computing device has implemented the second configuration setting;
The server is further configured to designate the particular computing device as being compliant with the modified compliance rule in response to receiving the acknowledgment. 9. The server of claim 8, wherein the compliance engine comprises:
receiving a second notification from the particular computing device indicating that a second user has logged into the particular computing device;
third configuration settings associated with the second user and the particular computing device are obtained from the reference, the reference being configured when the second user logs into the particular computing device; specifying that the particular computing device implements the third configuration setting;
determining that the third configuration setting complies with the compliance rule;
the server further configured to designate the particular computing device as compliant in response to determining that the third configuration setting complies with the compliance rule; . A computer-readable storage medium having program instructions recorded thereon that, when executed by at least one processor of a server, performs a method, the method comprising:
a first message indicating that a first user has logged into the specific computing device from the specific computing device accessible via a network communicatively coupling the server and the specific computing device; receiving a notification;
a reference maintained by the server for a first configuration setting associated with the first user and the particular computing device among the configuration settings existing for each user and computing device pair; wherein the reference specifies that the particular computing device implements the first configuration setting when the first user logs into the particular computing device. , the steps to obtain
determining that the first configuration setting does not comply with a compliance rule;
Based on determining that the first configuration setting does not comply with the compliance rule,
designating the particular computing device as non-compliant with the compliance rule; and when performed by the particular computing device, the particular computing device complies with the compliance rule. transmitting second configuration settings over the network to the particular computing device. 16. The computer readable storage medium of claim 15, wherein the method comprises:
In response to specifying that the particular computing device is out of compliance with the compliance rule, the particular computing device is accessed via the network until the particular computing device becomes compliant. The computer-readable storage medium further comprises preventing access to the available resources. 17. The computer-readable storage medium of claim 16, wherein the resource comprises:
an email server accessible via said network;
A computer-readable storage medium comprising at least one of: a data repository accessible via the network; or an application server accessible via the network. 16. The computer readable storage medium of claim 15, wherein the method comprises:
The computer-readable storage medium further comprising receiving an indication from the particular computing device that a third configuration setting of the particular computing device has been changed. 16. The computer readable storage medium of claim 15, wherein the first configuration setting comprises:
encryption settings implemented by the particular computing device;
security settings implemented by said particular computing device; or
A computer-readable storage medium specifying at least one of at least one minimum version of an application or operating system that needs to be installed on the particular computing device. 16. The computer readable storage medium of claim 15, wherein the method comprises:
receiving an acknowledgment from the particular computing device, the acknowledgment indicating that the particular computing device has implemented a second configuration setting;
and, in response to receiving the acknowledgment, designating the particular computing device as being compliant with the modified compliance rule.